223cd2fce22a683b778ec711227da6128a4871d235746b8d7fa456424d9b150e

Analysis

max time kernel
150s
max time network
124s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
11/08/2024, 19:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

223cd2fce22a683b778ec711227da6128a4871d235746b8d7fa456424d9b150e.exe
Size

75KB
MD5

47282e47200fb3e282c2c2034a02ef60
SHA1

0846657fe2f481a4a101955e64f4415461ae466e
SHA256

223cd2fce22a683b778ec711227da6128a4871d235746b8d7fa456424d9b150e
SHA512

93d1364f6bc389f7a56e3ef80352c9a968bb49c8d9b5b95e167a1abca4ece66ee5d0823cf41cfac97dbcbb072d587fbbf1b31ff842208d0ab58085bc36afcc0f
SSDEEP

768:W7BlphA7pARFbhvOsTKnKqtb4HBZjlwGpCYnigugqOzM9bdifwMtxEwJjlVki/+:W7ZhA7pApvOsOKM4HBhaGwOQ54xEIjl0

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (5038) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-00A1-0000-1000-0000000FF1CE.xml.tmp	223cd2fce22a683b778ec711227da6128a4871d235746b8d7fa456424d9b150e.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\ONINTL.DLL.tmp	223cd2fce22a683b778ec711227da6128a4871d235746b8d7fa456424d9b150e.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.NetFX40.exe.tmp	223cd2fce22a683b778ec711227da6128a4871d235746b8d7fa456424d9b150e.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Bibliography\Author2XML.XSL.tmp	223cd2fce22a683b778ec711227da6128a4871d235746b8d7fa456424d9b150e.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MEDIA\BOMB.WAV.tmp	223cd2fce22a683b778ec711227da6128a4871d235746b8d7fa456424d9b150e.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Numerics.Vectors.dll.tmp	223cd2fce22a683b778ec711227da6128a4871d235746b8d7fa456424d9b150e.exe
File created	C:\Program Files\Java\jre-1.8\bin\management.dll.tmp	223cd2fce22a683b778ec711227da6128a4871d235746b8d7fa456424d9b150e.exe
File created	C:\Program Files\Java\jre-1.8\lib\security\policy\limited\local_policy.jar.tmp	223cd2fce22a683b778ec711227da6128a4871d235746b8d7fa456424d9b150e.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected]	223cd2fce22a683b778ec711227da6128a4871d235746b8d7fa456424d9b150e.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\CancelFluent.White.png.tmp	223cd2fce22a683b778ec711227da6128a4871d235746b8d7fa456424d9b150e.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Memory.dll.tmp	223cd2fce22a683b778ec711227da6128a4871d235746b8d7fa456424d9b150e.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Outlook2019R_Retail-ul-phn.xrm-ms.tmp	223cd2fce22a683b778ec711227da6128a4871d235746b8d7fa456424d9b150e.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSOARIANEXT.DLL.tmp	223cd2fce22a683b778ec711227da6128a4871d235746b8d7fa456424d9b150e.exe
File created	C:\Program Files\Java\jdk-1.8\include\jvmticmlr.h.tmp	223cd2fce22a683b778ec711227da6128a4871d235746b8d7fa456424d9b150e.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdR_OEM_Perp-ppd.xrm-ms.tmp	223cd2fce22a683b778ec711227da6128a4871d235746b8d7fa456424d9b150e.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power Map Excel Add-in\VISUALIZATIONENGINE.DLL.tmp	223cd2fce22a683b778ec711227da6128a4871d235746b8d7fa456424d9b150e.exe
File created	C:\Program Files\Microsoft Office\root\Office16\NAME.DLL.tmp	223cd2fce22a683b778ec711227da6128a4871d235746b8d7fa456424d9b150e.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\Alphabet.xml.tmp	223cd2fce22a683b778ec711227da6128a4871d235746b8d7fa456424d9b150e.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Security.Cryptography.Cng.dll.tmp	223cd2fce22a683b778ec711227da6128a4871d235746b8d7fa456424d9b150e.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-crt-process-l1-1-0.dll.tmp	223cd2fce22a683b778ec711227da6128a4871d235746b8d7fa456424d9b150e.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Text.Encoding.CodePages.dll.tmp	223cd2fce22a683b778ec711227da6128a4871d235746b8d7fa456424d9b150e.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\freebxml.md.tmp	223cd2fce22a683b778ec711227da6128a4871d235746b8d7fa456424d9b150e.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\EXCEL_F_COL.HXK.tmp	223cd2fce22a683b778ec711227da6128a4871d235746b8d7fa456424d9b150e.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.HostIntegration.Connectors.dll.tmp	223cd2fce22a683b778ec711227da6128a4871d235746b8d7fa456424d9b150e.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000049\index.win32.bundle.tmp	223cd2fce22a683b778ec711227da6128a4871d235746b8d7fa456424d9b150e.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Net.WebSockets.Client.dll.tmp	223cd2fce22a683b778ec711227da6128a4871d235746b8d7fa456424d9b150e.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.IO.UnmanagedMemoryStream.dll.tmp	223cd2fce22a683b778ec711227da6128a4871d235746b8d7fa456424d9b150e.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Violet.xml.tmp	223cd2fce22a683b778ec711227da6128a4871d235746b8d7fa456424d9b150e.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp2-ppd.xrm-ms.tmp	223cd2fce22a683b778ec711227da6128a4871d235746b8d7fa456424d9b150e.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioPro2019R_PrepidBypass-ppd.xrm-ms.tmp	223cd2fce22a683b778ec711227da6128a4871d235746b8d7fa456424d9b150e.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\cardview-checkmark.png.tmp	223cd2fce22a683b778ec711227da6128a4871d235746b8d7fa456424d9b150e.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pl\UIAutomationTypes.resources.dll.tmp	223cd2fce22a683b778ec711227da6128a4871d235746b8d7fa456424d9b150e.exe
File created	C:\Program Files\Internet Explorer\ExtExport.exe.tmp	223cd2fce22a683b778ec711227da6128a4871d235746b8d7fa456424d9b150e.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_Subscription3-pl.xrm-ms.tmp	223cd2fce22a683b778ec711227da6128a4871d235746b8d7fa456424d9b150e.exe
File created	C:\Program Files\Microsoft Office\root\Office16\SkypeSrv\SKYPESERVER.EXE.tmp	223cd2fce22a683b778ec711227da6128a4871d235746b8d7fa456424d9b150e.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2RINTL.bg-bg.dll.tmp	223cd2fce22a683b778ec711227da6128a4871d235746b8d7fa456424d9b150e.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ko\ReachFramework.resources.dll.tmp	223cd2fce22a683b778ec711227da6128a4871d235746b8d7fa456424d9b150e.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\tr\System.Windows.Controls.Ribbon.resources.dll.tmp	223cd2fce22a683b778ec711227da6128a4871d235746b8d7fa456424d9b150e.exe
File created	C:\Program Files\Java\jre-1.8\lib\calendars.properties.tmp	223cd2fce22a683b778ec711227da6128a4871d235746b8d7fa456424d9b150e.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProCO365R_SubTest-pl.xrm-ms.tmp	223cd2fce22a683b778ec711227da6128a4871d235746b8d7fa456424d9b150e.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdXC2RVL_MAKC2R-ppd.xrm-ms.tmp	223cd2fce22a683b778ec711227da6128a4871d235746b8d7fa456424d9b150e.exe
File created	C:\Program Files\dotnet\swidtag\Microsoft Windows Desktop Runtime - 7.0.16 (x64).swidtag.tmp	223cd2fce22a683b778ec711227da6128a4871d235746b8d7fa456424d9b150e.exe
File created	C:\Program Files\Internet Explorer\fr-FR\ieinstal.exe.mui.tmp	223cd2fce22a683b778ec711227da6128a4871d235746b8d7fa456424d9b150e.exe
File created	C:\Program Files\Java\jdk-1.8\bin\api-ms-win-core-libraryloader-l1-1-0.dll.tmp	223cd2fce22a683b778ec711227da6128a4871d235746b8d7fa456424d9b150e.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_Subscription3-ppd.xrm-ms.tmp	223cd2fce22a683b778ec711227da6128a4871d235746b8d7fa456424d9b150e.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp6-ppd.xrm-ms.tmp	223cd2fce22a683b778ec711227da6128a4871d235746b8d7fa456424d9b150e.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\msquic.dll.tmp	223cd2fce22a683b778ec711227da6128a4871d235746b8d7fa456424d9b150e.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hans\WindowsBase.resources.dll.tmp	223cd2fce22a683b778ec711227da6128a4871d235746b8d7fa456424d9b150e.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_SubTest2-ul-oob.xrm-ms.tmp	223cd2fce22a683b778ec711227da6128a4871d235746b8d7fa456424d9b150e.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Word2019R_Retail-pl.xrm-ms.tmp	223cd2fce22a683b778ec711227da6128a4871d235746b8d7fa456424d9b150e.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN097.XML.tmp	223cd2fce22a683b778ec711227da6128a4871d235746b8d7fa456424d9b150e.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVPolicy.dll.tmp	223cd2fce22a683b778ec711227da6128a4871d235746b8d7fa456424d9b150e.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Diagnostics.Tools.dll.tmp	223cd2fce22a683b778ec711227da6128a4871d235746b8d7fa456424d9b150e.exe
File created	C:\Program Files\Microsoft Office\root\Client\vccorlib140.dll.tmp	223cd2fce22a683b778ec711227da6128a4871d235746b8d7fa456424d9b150e.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\PresentationFramework.Classic.dll.tmp	223cd2fce22a683b778ec711227da6128a4871d235746b8d7fa456424d9b150e.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\PresentationFramework-SystemXml.dll.tmp	223cd2fce22a683b778ec711227da6128a4871d235746b8d7fa456424d9b150e.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_OEM_Perp4-ul-phn.xrm-ms.tmp	223cd2fce22a683b778ec711227da6128a4871d235746b8d7fa456424d9b150e.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PersonalR_Retail-pl.xrm-ms.tmp	223cd2fce22a683b778ec711227da6128a4871d235746b8d7fa456424d9b150e.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdR_Grace-ul-oob.xrm-ms.tmp	223cd2fce22a683b778ec711227da6128a4871d235746b8d7fa456424d9b150e.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\cpprestsdk.dll.tmp	223cd2fce22a683b778ec711227da6128a4871d235746b8d7fa456424d9b150e.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Diagnostics.Process.dll.tmp	223cd2fce22a683b778ec711227da6128a4871d235746b8d7fa456424d9b150e.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hant\UIAutomationProvider.resources.dll.tmp	223cd2fce22a683b778ec711227da6128a4871d235746b8d7fa456424d9b150e.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdVL_MAK-ppd.xrm-ms.tmp	223cd2fce22a683b778ec711227da6128a4871d235746b8d7fa456424d9b150e.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Word2019VL_MAK_AE-ul-phn.xrm-ms.tmp	223cd2fce22a683b778ec711227da6128a4871d235746b8d7fa456424d9b150e.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	223cd2fce22a683b778ec711227da6128a4871d235746b8d7fa456424d9b150e.exe

C:\Users\Admin\AppData\Local\Temp\223cd2fce22a683b778ec711227da6128a4871d235746b8d7fa456424d9b150e.exe
"C:\Users\Admin\AppData\Local\Temp\223cd2fce22a683b778ec711227da6128a4871d235746b8d7fa456424d9b150e.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:1152

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2412658365-3084825385-3340777666-1000\desktop.ini.tmp

Filesize
76KB

MD5
e78819a7fd92b3b48bced6925822cf63

SHA1
8981bd55dbdd63fc9553a3247dce2ea98f62ea37

SHA256
9597e3854e508f21940df9b134e27444fdd567b01ccbee4051b2e4deff4ed70c

SHA512
1ba67f4cb00b13eea427dd6dcac8d42700057f3563a28aff71fd173e58a907de5b25cb13461876f7fefad63971fcfd73c8582b2563ae513898a1431f144a4216

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
174KB

MD5
76a7bf8e43a5c1d2ff8ec3290571f83e

SHA1
c9621da5f4554e978474aab87b8f602eea22c545

SHA256
1cd53bf515e5a7d24ae223ca5b0d1ee52bd7dae9ae2d694ea45631b4d86ef307

SHA512
e668b1e01e1da81506b16a43f158d5ff192574a304c2e10a2e317f1d7220f64ce9dc67bd1eb9f3cd4b59def4c89c61c5f8891f2e0a277971cd40fae07f3398f8

Download Submit